# Go implementation of in-toto

[build](https://github.com/in-toto/in-toto-golang/actions?query=workflow%3Abuild) [coverage](https://coveralls.io/github/in-toto/in-toto-golang) [Go reference](https://pkg.go.dev/github.com/in-toto/in-toto-golang) [Go report card](https://goreportcard.com/report/github.com/in-toto/in-toto-golang)

Go implementation of the
[in-toto specification](https://github.com/in-toto/docs/blob/master/in-toto-spec.md).

## Docs

To read the documentation along with some examples, run:

```bash
godoc -http :8080
```

and navigate to `localhost:8080/pkg/github.com/in-toto/in-toto-golang/`

Alternatively, you can use [pkg.go.dev](https://pkg.go.dev/github.com/in-toto/in-toto-golang).

## Example

A very simple example, just to help you get started. It creates an empty,
signed layout; in practice the layout would also list steps, inspections and
the functionary keys those steps trust:

```go
package main

import (
	"log"
	"time"

	toto "github.com/in-toto/in-toto-golang/in_toto"
)

func main() {
	// A layout carries an expiry; verification fails once it has passed.
	expires := time.Now().Add(30 * 24 * time.Hour)

	// Public keys of the functionaries referenced by the steps, indexed by
	// key ID. Empty here because the layout has no steps yet.
	keys := make(map[string]toto.Key)

	metablock := toto.Metablock{
		Signed: toto.Layout{
			Type: "layout",
			// The format string ends in a literal Z, so convert to UTC first.
			Expires: expires.UTC().Format("2006-01-02T15:04:05Z"),
			Steps:   []toto.Step{},
			Inspect: []toto.Inspection{},
			Keys:    keys,
		},
	}

	// Load the layout owner's private key (RSASSA-PSS with SHA-256); key IDs
	// are computed with the listed hash algorithms.
	var key toto.Key
	if err := key.LoadKey("keys/alice", "rsassa-pss-sha256", []string{"sha256", "sha512"}); err != nil {
		log.Fatalf("loading key: %v", err)
	}

	// Sign the layout and write it to disk for the verifier to consume.
	if err := metablock.Sign(key); err != nil {
		log.Fatalf("signing layout: %v", err)
	}
	if err := metablock.Dump("root.layout"); err != nil {
		log.Fatalf("writing layout: %v", err)
	}
}
```

## Building

Download the source and run `make build`.

## CLI

The CLI reference can be found in the autogenerated [docs](doc/in-toto.md).

## Integration with SPIFFE/SPIRE

This implementation of in-toto has been integrated with SPIFFE/SPIRE. The
integration is made possible by
[ITE-7](https://github.com/in-toto/ITE/blob/master/ITE/7/README.adoc), an
enhancement that adds support for X.509 signing to in-toto.

### Running the Demo

To run the demo, pull down the source code, install Go, and run
`make test-verify`. This will use openssl to generate a certificate chain.

To run the demo using SPIRE, pull down the source code, install Go and Docker,
and run `make test-spiffe-verify`.

SPIFFE-compliant leaf certificates are generated with SVIDs corresponding to
functionaries. These certificates are consumed by in-toto to sign link metadata
and the layout policy.

During in-toto verification, certificate constraints are checked to ensure
that each step's link metadata was signed with the correct SVID.

### Layout Certificate Constraints

A step in the layout can carry a `cert_constraints` list; link metadata for
that step must be signed by a certificate that satisfies at least one entry.
The value `"*"` accepts any value for that attribute. Currently the following
constraints are supported:

```json
{
  "cert_constraints": [{
    "common_name": "write-code.example.com",
    "dns_names": [
      ""
    ],
    "emails": [
      ""
    ],
    "organizations": [
      "*"
    ],
    "roots": [
      "*"
    ],
    "uris": [
      "spiffe://example.com/write-code"
    ]
  }, {
    "uris": [],
    "common_name": "Some User"
  }]
}
```
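The following is an added, stand-alone example (not code from in-toto-golang) showing how a `cert_constraints` document like the one above can be evaluated against an X.509 leaf certificate. The matching rules it applies are an assumption for illustration: `"*"` as the sole entry requires at least one value, an empty list or `[""]` requires the attribute to be empty, and any other list must equal the certificate's values as a set; `"roots"` is compared against an opaque root CA identifier passed in by the caller rather than by verifying a chain. The helpers `firstMatch`, `matchList` and `newLeafCert` (which builds a self-signed stand-in for an SVID, as constructed test input) are names invented for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// certConstraint mirrors the cert_constraints JSON shape shown above.
// Matching rules are assumptions for this example, not the project's own.
type certConstraint struct {
	CommonName    string   `json:"common_name"`
	DNSNames      []string `json:"dns_names"`
	Emails        []string `json:"emails"`
	Organizations []string `json:"organizations"`
	Roots         []string `json:"roots"`
	URIs          []string `json:"uris"`
}

type layoutConstraints struct {
	CertConstraints []certConstraint `json:"cert_constraints"`
}

// matchList applies the list rules to one certificate attribute: "*" needs at
// least one value, empty/[""] needs none, anything else must match as a set.
func matchList(allowed, actual []string) bool {
	if len(allowed) == 1 && allowed[0] == "*" {
		return len(actual) > 0
	}
	if len(allowed) == 0 || (len(allowed) == 1 && allowed[0] == "") {
		return len(actual) == 0
	}
	if len(allowed) != len(actual) {
		return false
	}
	seen := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		seen[a] = true
	}
	for _, v := range actual {
		if !seen[v] {
			return false
		}
	}
	return true
}

// matches reports whether cert, chaining to the root identified by rootID,
// satisfies every attribute of the constraint.
func (c certConstraint) matches(cert *x509.Certificate, rootID string) bool {
	if c.CommonName != "*" && c.CommonName != cert.Subject.CommonName {
		return false
	}
	uris := make([]string, 0, len(cert.URIs))
	for _, u := range cert.URIs {
		uris = append(uris, u.String())
	}
	rootOK := len(c.Roots) == 1 && c.Roots[0] == "*" // "*" accepts any root
	for _, r := range c.Roots {
		if r == rootID {
			rootOK = true
		}
	}
	return rootOK &&
		matchList(c.DNSNames, cert.DNSNames) &&
		matchList(c.Emails, cert.EmailAddresses) &&
		matchList(c.Organizations, cert.Subject.Organization) &&
		matchList(c.URIs, uris)
}

// firstMatch returns the index of the first constraint the certificate
// satisfies, or -1 when none does (the link signature would then be rejected).
func firstMatch(constraintsJSON []byte, cert *x509.Certificate, rootID string) (int, error) {
	var lc layoutConstraints
	if err := json.Unmarshal(constraintsJSON, &lc); err != nil {
		return -1, err
	}
	for i, c := range lc.CertConstraints {
		if c.matches(cert, rootID) {
			return i, nil
		}
	}
	return -1, nil
}

// newLeafCert builds a self-signed certificate with the given subject and URI
// SANs: constructed test input standing in for a SPIRE-issued SVID.
func newLeafCert(cn string, orgs, uris []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	for _, u := range uris {
		parsed, err := url.Parse(u)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, parsed)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// writeCodeConstraints is the first entry of the layout snippet above.
const writeCodeConstraints = `{"cert_constraints": [{
  "common_name": "write-code.example.com",
  "dns_names": [""], "emails": [""], "organizations": ["*"], "roots": ["*"],
  "uris": ["spiffe://example.com/write-code"]}]}`

func main() {
	good, err := newLeafCert("write-code.example.com", []string{"Example Org"},
		[]string{"spiffe://example.com/write-code"})
	if err != nil {
		panic(err)
	}
	// Same subject, but the SPIFFE ID belongs to a different workload.
	bad, err := newLeafCert("write-code.example.com", []string{"Example Org"},
		[]string{"spiffe://example.com/package"})
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"good": good, "bad": bad} {
		idx, err := firstMatch([]byte(writeCodeConstraints), c, "root-key-id")
		fmt.Printf("%s: matched constraint index %d (err=%v)\n", name, idx, err)
	}
}
```

The "bad" certificate has the expected common name and organization but a different SPIFFE ID, so it matches no constraint; this is the check that stops a compromised functionary from signing another step's link metadata with its own SVID.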

## Not (yet) supported

This Go implementation was focused on verification in admission controllers
and kubectl plugins. As such, it focused on providing a strong, auditable set
of core functions rather than a broad and (possibly) unstable feature set. In
other words, we believe that the current feature set is stable enough for
production use.

If any of these features are necessary for your use case, please let us know and
we will try to provide them as soon as possible. Alternatively, we welcome pull
requests with feature additions!

* [GPG keys](https://github.com/in-toto/in-toto-golang/issues/26)